In § 164.518, we are proposing general administrative requirements for covered entities. We would require all covered entities to designate a privacy official, train members of their workforce regarding privacy requirements, safeguard protected health information, and establish sanctions for members of the workforce who do not abide by the entity’s privacy policies and procedures. In addition, we are proposing that covered plans and providers be required to establish a means for individuals to complain to the covered plan or provider if they believe that their privacy rights have been violated. In the discussions of each proposed provision, we provide examples of how different kinds of covered entities could satisfy these requirements.

In proposed § 164.518(a)(1), we would require covered entities to designate an employee or other person to serve as the official responsible for the development of policies and procedures for the use and disclosure of protected health information. The designation of an official would focus the responsibility for development of privacy policy.

We considered whether covered entities should be required to designate a single official or an entire board. We concluded that a single official would better serve the purposes of focusing the responsibility and providing accountability within the entity. The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint a person whose sole responsibility is privacy policy, and he or she might choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

In proposed § 164.518(a)(2), we would require a covered entity to designate a contact person or office to receive complaints and provide information about the matters covered by the entity’s notice. The covered entity could, but would not be required to, designate the designated privacy official as the entity’s contact person.

In proposed § 164.512, we would require the covered plan or provider’s privacy notice to include the name of a contact person for privacy matters. We would not require that the contact person and the designated privacy official be the same person. This would be left to the discretion of each covered entity.

In proposed § 164.518(b), we would require covered entities to provide training on the entity’s policies and procedures with respect to protected health information. Each entity would be required to provide initial training by the date on which this proposed rule becomes applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time period after joining the entity. In addition, we are proposing that when a covered entity makes material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties are directly affected by the change within a reasonable time of making the change.

The entities would be required to train all members of the workforce (e.g., all employees, volunteers, trainees, and other persons under the direct control of the covered entity, as well as persons working on behalf of the covered entity on an unpaid basis who are not business partners) who are likely to have contact with protected health information.

Upon completion of the training, the person would be required to sign a statement certifying that he or she received the privacy training and will honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

At least once every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she will honor all of the entity’s privacy policies and procedures. The initial certification would be intended to make members of the workforce aware of their duty to adhere to the entity’s policies and procedures. By requiring a recertification every three years, they would be reminded of this duty.

We considered several different options for recertification. We considered proposing that members of the workforce be required to recertify every six months, but concluded that such a requirement would be too burdensome. We considered proposing that recertification be required annually consistent with the recommendations of The American Health Information Management Association (Brandt, Mary D., Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information, 1997). We concluded that annual recertification could also impose a significant burden on covered entities.

We also considered requiring that the covered entity provide “refresher” training every three years in addition to the recertification. We concluded that our goals could be achieved by only requiring recertification once every three years, and retraining in the event of material changes in policy. We are soliciting comment on this approach.

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information. We proposed similar requirements for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P), which can be found at 63 FR 43241. We are proposing parallel and consistent requirements for safeguarding the privacy of protected health information.

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of their practices regarding protected health information. For example, individuals would be able to file a complaint when they believe that protected health information relating to them has been used or disclosed improperly, that an employee of the plan or provider has improperly handled the information, that they have wrongfully been denied access to or opportunity to amend the information, or that the entity’s notice does not accurately reflect its information practices. We would not require that the entity develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame. We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could, but would not have to be, the entity’s privacy official. See § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.

Covered plans and providers could implement this requirement through a variety of mechanisms based on their size and capabilities. For example, a small practice could assign a clerk to log in written and/or verbal complaints as they are received, and assign one physician to review all complaints monthly, address the individual situations and make changes to policies or procedures as appropriate. Results of the physician's review of individual complaints then could be logged by the clerk. A larger provider or health plan could choose to implement a formal appeals process with standardized time frames for response.

We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual’s complaint, there may be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual may file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider, or without filing a complaint with the covered plan or provider at all.

We are considering whether modifications of these complaint procedures for intelligence community agencies may be necessary to address the handling of classified information and solicit comment on the issue.

In proposed § 164.518(e), we would require all covered entities to develop and, when appropriate, apply sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule. All members of the workforce who have regular contact with protected health information should be subject to sanctions, as would the entity’s business partners. Covered entities would be required to develop and impose sanctions appropriate to the nature of the issue. The type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

We considered specifying particular sanctions for particular kinds of violations of privacy policy, but rejected this approach for several reasons. First, the appropriate sanction will vary with the entity’s particular policies. Because we cannot anticipate every kind of privacy policy in advance, we cannot predict the response that would be appropriate when that policy is violated. In addition, it is important to allow covered entities to develop the sanctions policies appropriate to their business and operations.

We propose that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by members of their workforce or by their business partners.

With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms. For example, a covered entity that becomes aware that a business partner has improperly disclosed protected health information could require that business partner to take steps to retrieve the disclosed information. The covered entity also could require that business partner to adopt new practices to better assure that protected health information is appropriately handled. Covered entities generally would not be required to monitor the activities of their business partners, but would be required to take steps to address problems of which they become aware, and, where the breach is serious or repeated, would also be required to monitor the business partner’s performance to ensure that the wrongful behavior has been remedied. For example, the covered entity could require the business partner to submit reports or subject itself to audits to demonstrate compliance with the contract terms required by this rule. Termination of the arrangement would be required only if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur.
